Europe needs urgent cybersecurity action

EU politicians need to finalise the new EU Cybersecurity Act by the end of the year and give it all the political and financial support they can, writes Philippe Cotelle.

Philippe Cotelle is a board member of the European Federation of Risk Management Associations (FERMA), and head of Insurance Risk Management for Airbus Defence and Space.

With at least seven parliamentary elections scheduled in the European Union in 2019, plus European Parliament elections, the continent’s leaders are in a frenzy of damage control. The European Commission has launched initiatives to harden information technology infrastructure and fight fake news, and it is organising a high-level conference in October on Election Interference in the Digital Age. Austria, which currently holds the Union’s rotating presidency, hopes to reach political agreement with the Commission and European Parliament on a new EU Cybersecurity Act before the end of the year.

Judging by the evidence, these efforts are desperately necessary to ensure that Europe’s elections and markets run smoothly. They are also possibly too late to ensure that they do so anytime soon. That means Europe needs to step up its efforts to mitigate damage even as it redoubles its efforts to mitigate cyber risks in the first place.

A US Senate report has already presented evidence that—despite heightened awareness after the 2016 elections in the United States and the Brexit vote in the United Kingdom—Russia has interfered in at least 19 important elections or referendums in Europe, including national elections in France and Germany, in the past two years. The Netherlands last year took the unprecedented step of counting all the ballots in its national election by hand because it could not be sure that its election systems were immune to tampering.

The private sector, for its part, is the subject of almost daily news of data breaches and malware attacks by hackers more intent on collecting ransom than interfering in elections. The Belgian national Centre for Cybersecurity says it blocks an average of 3-4 phishing sites—often the starting point for a malware attack or data breach—per day. An Accenture survey of more than 4,000 executives published earlier this year found that most have improved security to the point that they can now thwart 87% of attacks—but that still leaves 13% that can cause massive damage. The WannaCry ransomware attack in 2017 affected more than 200,000 computers worldwide and inflicted hundreds of millions of euros in damages—some say a billion.

In the absence of strong mitigation measures, the frequency of such successful attacks and the scale of the damage are likely to grow. That’s because the 4th industrial revolution, the ongoing fusion of technologies and scientific disciplines sometimes called “cyber-physical systems”, is only just getting started.

Breakthroughs in artificial intelligence, machine learning, data mining, the Internet of Things, wireless technologies, 3D printing and autonomous vehicles all create a vast and growing buffet for hackers, state-sponsored or otherwise, as more and more systems interact with one another autonomously on a scale that makes those connections difficult or even impossible to really track individually. In effect, the more we digitise, the closer we get to Cybergeddon—unless we do something to stop it.

Increasingly, not just governments but organisations of all sizes are coming under pressure to demonstrate cyber readiness and resilience.

The starting point for any organisation to better mitigate such risks is better governance, starting by breaking down barriers between silos. Organisations of all sizes need at least a working group of people representing security, audit, legal, finance, information technology, data privacy and human resources, chaired by a professional risk manager. Ideally this team should report to the CEO or another Board-level executive. These teams need not only to ensure that an organisation’s software and systems meet the latest security and compliance standards but also to monitor operations regularly and run fire drills to make sure people know what to do in the event of an attack—among other tasks. The Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) earlier this year published a handy how-to guide on improved cyber risk governance.

Once this is in place, then cyber insurance can efficiently help to cover residual risks. Munich Re, the reinsurance giant, says it expects companies to more than double budgets for cyber insurance by 2020.

The bad news is that Europe still has a long way to go. A 2017 UK government report found that more than two-thirds of FTSE 350 companies’ boards had no training to deal with a cyber-attack, while one in 10 had no plan in place. Only one-third of respondents to a recent survey by the European Federation of Risk Management Associations, FERMA, said their organisations had any cyber insurance.

The good news is that national governments, the European Commission and European Parliament have already taken significant steps to improve Europe’s cybersecurity structures and capabilities. After years of stringing the European cybersecurity agency, ENISA, along with temporary missions and budgets, they have now given it a clear and permanent mandate. Now they also need to finish the job by finalising the new EU Cybersecurity Act by the end of the year and giving it all the political and financial support that they can.

Next, Europe’s leaders urgently need to begin promoting a general risk management culture—for private companies and other organisations big and small—that gives Europeans the political, social and economic stability that they deserve.